You can migrate users (with their encrypted passwords), and groups from the default embedded WebLogic LDAP server into an alternative authentication provider (for example, OID, external tables, or another LDAP directory). For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

2.1 Working with the Default Users, Groups, and Application Roles

When you install Oracle Business Intelligence, there are a number of preconfigured Users, Groups, and Application Roles that you can use to deploy Oracle Business Intelligence. For example, there is a user that is assigned to a BIAdministrators group (with a name that is user-specified at installation time, for example Weblogic), a group named 'BIAdministrators', and an associated Application Role named 'BIAdministrator'. The default installed Users, Groups, and Application Roles are preconfigured to work together. For example, the installed BIConsumers group is assigned to the BIConsumer Application Role. For a detailed description of the default security configuration, refer to Appendix B, "Understanding the Default Security Configuration".

Caution:

Oracle recommends that you do not modify the default Users, Groups, or Application Roles, unless explicitly advised to do so by Oracle Support. Oracle recommends that you only modify copies that you have made of the installed Groups and Application Roles.

The installed Application Roles are preconfigured with appropriate permissions and privileges to enable them to work with the installed Oracle BI Presentation Catalog, BI Repository (RPD), and Policy Store. For example, the Application Role named BIAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.

The figure below shows the Users, Groups, and Application Roles that are installed and preconfigured.

The user that is specified at installation time (for example, Weblogic), is automatically assigned to the WebLogic Administrators group named 'BIAdministrators' and to the associated Application Role named 'BIAdministrator'. The user has permissions to log in to the Oracle Business Intelligence tools to create and administer other users.

Note: Groups are organized hierarchically, and inherit privileges from parent groups. In other words, the BIAdministrators group automatically inherits privileges from the BIAuthors and BIConsumers groups. Oracle recommends that you do not change this hierarchy.

You can use the installed groups and Application Roles to deploy security, and if required you can develop your own groups and Application Roles to meet your business needs. For example:

If you want to enable an employee called Fred to create dashboards and reports, you might create a new user called 'Fred' and assign 'Fred' to the default BIAuthors group.

If you want to enable user Fred to perform BIAuthors and BIAdministrator duties, you might create a new Application Role called 'BIManager', which has both BIAuthors privileges and BIAdministrators privileges

If you want user Fred to be a Sales dashboard author, you might create an Application Role called 'Sales Dashboard Author' that has permissions to see Sales subject areas in the repository and edit Sales dashboards.

2.2 An Example Security Setup Using the Default Groups and Application Roles

This example uses a small set of Users, Groups, and Application Roles to illustrate how you set up a security policy using the default groups and Application Roles. In this example, you want to implement the following:

Three users named User1, User2, and User3, who need to view business intelligence reports.

Two users named User4 and User5, who need to create business intelligence reports.

Two users named User6 and User7, who administer Oracle Business Intelligence.

The figure below shows the Users, Groups, and Application Roles that you would deploy to implement this security model.

Figure 2-2 Example Groups, Application Roles, and Users

The example above shows the following:

The group named 'BIConsumers' contains User1, User2, and User3. Users in the group 'BIConsumers' are assigned to the Application Role named 'BIConsumer', which enables the users to view reports.

The group named 'BIAuthors' contains User4 and User5. Users in the group 'BIAuthors' are assigned to the Application Role named 'BIAuthor', which enables the users to create reports.

The group named 'BIAdministrators' contains User6 and User7. Users in the group 'BIAdministrators' are assigned to the Application Role named 'BIAdministrator', which enables the users to manage repositories.

2.3.1 Overview of Setting Up Users, Groups, and Application Roles

This section summarizes recommended approaches for setting up Users, Groups, and Application Roles.

The simplest way to set up security is to create Users and assign them to the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators).

For example, you might create a user called Fred and assign Fred to the default group named BIAuthors. The group BIAuthors is preconfigured with the privileges it requires to access the other BI components, such as the metadata repository (RPD) and Oracle BI Presentation Catalog.

If the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators) do not meet your business requirements, you can extend the default security model by creating your own groups and Application Roles.

For example, you might want to create a user called Jim and assign Jim to a new group called BIMarketingGroup that is assigned to a new Application Role named BIMarketingRole.

2.3.2 Launching Oracle WebLogic Server Administration Console

Oracle WebLogic Server is automatically installed and serves as the default administration server. The Administration Console is browser-based and is used, among other things, to manage the embedded directory server that is configured as the default authenticator. It is launched by entering its URL into a Web browser. The default URL takes the following form: http://hostname:port_number/console. The port number is the same as used for the Administration Server; 7001 is the default. For more information about using the Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

To launch the Oracle WebLogic Server Administration Console:

Log in to Oracle WebLogic Serverr by entering its URL into a Web browser.

Log in using the Oracle Business Intelligence administrative user and password credentials and click Login.

The user name and password were supplied during the installation of Oracle Business Intelligence. If these values have since been changed, then use the current administrative user name and password combination.

2.3.3 Creating a New User in the Embedded WebLogic LDAP Server

You typically create a separate user for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, three report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 users, which you would then assign to appropriate groups (for example, you might use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators).

Name: Enter the name of the user. See online help for a list of invalid characters.

(Optional) Description: Enter a description.

Provider: Select the authentication provider from the list that corresponds to the identity store where the user information is contained. DefaultAuthenticator is the name for the default authentication provider.

Password: Enter a password for the user that is at least 8 characters long.

2.3.4 Creating a Group in the Embedded WebLogic LDAP Server

You typically create a separate group for each functional type of business user in your Oracle Business Intelligence environment. For example, a typical deployment might require three groups: BIConsumers, BIAuthors, and BIAdministrators. In this case, you could either use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators that are installed with Oracle Business Intelligence, or you might create your own custom groups.

In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

Select Users and Groups tab, then Groups. Click New

In the Create a New Group page provide the following information:

Name: Enter the name of the group. Group names are case insensitive but must be unique. See online help for a list of invalid characters.

(Optional) Description: Enter a description.

Provider: Select the authentication provider from the list that corresponds to the identity store where the group information is contained. DefaultAuthenticator is the name for the default authentication provider.

Click OK

The group name is added to the Group table.

2.3.5 Assigning a User to a Group in the Embedded WebLogic LDAP Server

You typically assign each user to an appropriate group. For example, a typical deployment might require user IDs created for report consumers to be assigned to a group named BIConsumers. In this case, you could either assign the users to the default group named BIConsumers, or you could assign the users to your own custom group that you have created.

Select the Passwords tab and enter the password in the New Password and Confirm Password fields.

Click Save.

Note: If you change the password of the system user, you also need to change it in the credential store.

2.4 Creating and Managing Application Roles and Application Policies Using Fusion Middleware Control

In Oracle Business Intelligence, you use Fusion Middleware Control to manage Application Roles and Application Policies that provide permissions for users and groups. For detailed information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

If you are using the default groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed with the default embedded WebLogic LDAP Server, then these groups are assigned to an appropriate Application Role (that is, BIConsumer, BIAuthor, or BIAdministrator). No additional steps are required to assign the default groups to Application Roles.

The simplest way to set up security is to assign your groups to the default Application Roles, (that is, BIConsumer, BIAuthor, and BIAdministrator). Each default group is preconfigured to use the appropriate default Application Role. For example, the default group named BIAuthors is assigned to the default Application Role named BIAuthor. In other words, any users that you add to the default group named BIAuthors automatically have the privileges required to create reports and perform related duties.

If you want to create a more complex or fine grained security model, you might create your own Application Roles and Application Policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new Application Role called BIAuthorMarketing, and provide it with appropriate privileges.

Caution:

If you are deploying the default Policy Store, then Oracle recommends that you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default location is MW_HOME/user_projects/domain/your_domain/config/fmwconfig.

To set up the Application Roles that you want to deploy, do the following:

2.4.1.1 Overview

Fusion Middleware Control is a Web browser-based, graphical user interface that you can use to monitor and administer a farm. A farm is a collection of components managed by Fusion Middleware Control. It can contain Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters, and the Oracle Fusion Middleware components that are installed, configured, and running in the domain. During installation an Oracle WebLogic Server domain is created and Oracle Business Intelligence is installed into that domain. If you performed a Simple or Enterprise installation type, this domain is named bifoundation_domain and is located under WebLogic Domain in the Fusion Middleware Control target navigation pane.

Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001.

There are several methods available for accessing the common Fusion Middleware Control security pages used when managing the Oracle Business Intelligence security configuration. Depending upon the access point used in the target navigation pane, the obi application stripe is pre-selected for you. The access points are as follows:

From coreapplication - You can reach the Application Policies and Application Roles pages using a shortcut menu. The obi application stripe is pre-selected and the Oracle Business Intelligence Application Policies or Application Roles are displayed. You cannot reach all Fusion Middleware Control Security menu options from this shortcut menu.

From bifoundation_domain - If you select either Application Policies or Application Roles from the Security menu, the obi application stripe must be selected and a search initiated. All Fusion Middleware Control Security menu options are available from this method.

2.4.1.2 Displaying the Security Menu in Fusion Middleware Control from coreapplication

To display the Security menu in Fusion Middleware Control from coreapplication:

Using one of the following methods provides a shortcut for accessing the Application Policies or Application Roles pages with the obi (Oracle Business Intelligence) application stripe pre-selected and the corresponding Oracle Business Intelligence policies or roles displaying (the Policy Store is organized by stripe and we use the obi stripe).

Log in to Fusion Middleware Control by entering the URL in a Web browser.

From the content pane, select the Business Intelligence Instance menu, then select Security to display a submenu with Application Policies and Application Roles as options.

Select Application Policies or Application Roles as needed. The obi (Oracle Business Intelligence) application stripe is selected and the corresponding Oracle Business Intelligence policies or roles are displayed.

The following figure shows an example of Application Policies page displaying the default Oracle Business Intelligence Application Policies.

2.4.2.1 Overview

In a new Oracle Business Intelligence deployment, you typically create an Application Role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment might require three Application Roles: BIConsumer, BIAuthors, and BIAdministrator. In this case, you could either use the preconfigured Application Roles named BIConsumer, BIAuthor, and BIAdministrator that are installed with Oracle Business Intelligence, or you could create your own custom Application Roles. For more information about the default Application Roles, see Section 2.1, "Working with the Default Users, Groups, and Application Roles".

Oracle Business Intelligence Application Roles represent a role that a user has. For example, having the Sales Analyst Application Role might grant a user access to view, edit and create reports on a company's sales pipeline. You can create new Application Roles to supplement or replace the default roles configured during installation. Keeping Application Roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new Application Roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to Application Roles.

Note:

Before creating a new Application Role and adding it to the default Oracle Business Intelligence security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. For more information, see Section B.4.4, "How Permissions Are Granted Using Application Roles".

2.4.2.2 Creating an Application Role

Create New - A new Application Role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

Copy Existing - A new Application Role is created by copying an existing Application Role. The copy contains the same members as the original, and is made a Grantee of the same Application Policy as is the original. Modifications can be made as needed to the copy to further customize the new Application Role.

Membership in an Application Role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an Application Role are Users, Groups, and other Application Roles.

ClickCreate to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

In the General section:

Role Name - Enter the name of the Application Role

(Optional) Display Name - Enter the display name for the Application Role.

(Optional) Description - Enter a description for the Application Role.

In the Members section, select the Users, Groups, or Application Roles to be assigned to the Application Role. Select Add Application Role or Add Group or Add Users accordingly. To search in the dialog box that displays:

Enter a name in Name field and click the blue button to search.

Select from the results returned in the Available box.

Use the shuttle controls to move the desired name to the Selected box.

Click OK to return to the Create Application Role page.

Repeat the steps until all desired members are added to the Application Role.

Click OK to return to the Application Roles page.

The Application Role just created displays in the table at the bottom of the page.

To create an Application Role based on an existing one:

Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

2.4.2.3 Assigning a Group to an Application Role

You assign a group to an Application Role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an Application Role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the Application Role named BIConsumerMarketing.

To assign a group to an Application Role:

Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

Select an Application Role in the list and click Edit to display an edit dialog, and complete the fields as follows:

In the Members section, use the Add Group option to add the group that you want to assign to the Roles list.

For example, if a group for marketing report consumers named BIMarketingGroup require an Application Role called BIConsumerMarketing, then add the group named BIMarketingGroup to Roles list.

Click OK to return to the Application Roles page.

2.4.3 Creating Application Policies Using Fusion Middleware Control

You can create Application Roles based on default preconfigured Application Policies, or you can create your own Application Policies.

Application Policies do not apply privileges to RPD or Oracle BI Presentation Catalog objects and functionality.

All Oracle Business Intelligence permissions are provided as part of the installation and you cannot create new permissions. The Application Policy is the mechanism that defines the permissions grants. Permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission grants are defined in an Application Policy. An Application Role, User, or Group, is then assigned to an Application Policy. This process makes the Application Role a Grantee of the Application Policy.

There are two methods for creating a new Application Policy:

Create New - A new Application Policy is created and permissions are added to it.

Copy Existing - A new Application Policy is created by copying an existing Application Policy. The copy is named and existing permissions are removed or permissions are added.

Whether or not the obi application stripe is pre-selected and the Oracle Business Intelligence Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee.

Select the desired Oracle Business Intelligencer permission and click OK. Repeat until all desired permissions are selected. Selecting non-Oracle Business Intelligence permissions have no effect in the policy.

To remove any items, select it and click Delete.

You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

To add an Application Role to the policy being created, click Add Application Role in the Grantee area to display the Add Application Role dialog.

Complete the Search area and click the blue search button next to the Resource Name field.

Select from the Available Roles list and use the shuttle controls to move it to Selected Roles.

Click OK.

You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the table. The following figure shows the new Application Policy just created with MyNewRole Application Role as the Grantee (Principal).

Click Create Like to display the Create Application Grant Like page. The Permissions table is automatically filled in with permissions granted by the policy selected.

The following figure shows the Create Application Grant Like dialog after the BIAuthor policy has been selected. Note that the Permissions section is completed with the permission grants for the BIAuthor policy.

The members of an Application Role can be changed using Oracle Fusion Middleware Control. If an Application Role is the Grantee of an Application Policy, the permissions grants are changed by modifying the permission grants of the corresponding Application Policy.

Caution:

Oracle recommends that you do not change the permission grants and membership for the default Application Roles name BIConsumer, BIAuthor, and BIAdministrator.

2.4.4.1 Adding or Removing Permission Grants from an Application Role

Use this procedure if you want to change the permission grants for an Application Role This is done by adding or removing the permission grants for the Application Policy which the Application Role is a grantee of.

To add or remove permission grants from an Application Policy:

Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.

Whether or not the obi stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee.

Select the Application Role from the Principal column and click Edit.

Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

2.4.4.2Adding or Removing Members from an Application Role

Members can be added to or deleted from an Application Role using Fusion Middleware Control. You must perform these tasks while in the WebLogic Domain that Oracle Business Intelligence is installed in. For example, bifoundation_domain. Valid members of an Application Role are Users, Groups, or other Application Roles. Being assigned to an Application Role is to become a member of an Application Role. Best practice is to assign groups instead of individual users to Application Roles.

Note:

Be very careful when changing the permission grants and membership for the default Application Roles. For example, the BISystem Application Role provides the permissions required for system communication and changes to it could result in an unusable system.

To add or remove members from an Application Role:

Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page

If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

The Oracle Business Intelligence Application Roles are displayed.

Select the cell next to the Application Role name and click Edit to display the Edit Application Role page.

You can add or delete members from the Edit Application Role page. Valid members are Application Roles, Groups, and Users.

From Members, select from the following options:

To delete a member: Select the Name of the member to activate the Delete button. Click Delete.

To add a member: Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User.

If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK.

For example, the following figure shows the Add Group dialog and after the Report_Dev group has been selected.

The added member displays in the Members column corresponding to the Application Role modified in the Application Roles page. For example, the following figure shows the Edit Application Role page for the MyNewRole Application Role after the Report_Dev group has been added.

Click OK in the Edit Application Role page to return to the Application Roles page.

The members just added to the Application Role display in the Members section. If members were deleted, they no longer display.

The following figure shows the MyNewRole Application Role with the just added member Report_Dev group displaying.

2.5.1 Overview

You use Identity Manager in the Oracle BI Administration Tool to manage permissions for Application Roles, and set access privileges for objects such as subject areas and tables. For an overview about using the Oracle BI Administration Tool to configure security, see Section 1.7.3, "About Using the Oracle BI Administration Tool".

Note:

Oracle Business Intelligence Applications customers should read this section to understand the basics about security and setting up authentication, and then refer to the security and configuration information provided in the Oracle Business Intelligence Applications documentation.

2.5.2 Setting Repository Privileges for an Application Role

The default Application Roles (that is, BIConsumer, BIAuthor, and BIAdministrator) are preconfigured with permissions for accessing the metadata repository. If you create a new Application Role, you must set appropriate repository permissions for the new Application Role, to enable that role to access the metadata repository (RPD).

Open the repository in the Oracle BI Administration Tool (in Online mode).

In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.

Right-click the subject area or sub-folder and choose Properties to display the properties dialog.

For example, to provide access to the Paint subject area, right-click Paint.

Click Permissions to display the Permissions <Name> dialog.

Note: Ensure that the Show all users/application roles check box is selected.

Use the Permissions <Name> dialog to change the security permissions for Application Roles in the User/Application Role list.

For example, to enable users to create dashboards and reports, you might change the repository permissions for an Application Role named BISalesAnalysis from 'Read' to 'Read/Write'.

Note: Best practice is to modify permissions for Application Roles, not modify permissions for individual users.

Tip:

To see all permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of Users and Application Roles and what permissions that have for the selected object.

2.5.3 Advanced Security Configuration Topics

This section contains advanced topics.

2.5.3.1 About Managing Application Roles in the Metadata Repository

Application Role definitions are maintained in the policy store and any changes must be made using the administrative interface. The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays Application Role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available Application Roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual Application Role. You cannot created an actual Application Role in the Administration Tool. You can create an Application Role only in the policy store, using the administrative interface available for managing the policy store.

An Application Role must be defined in the policy store for each Application Role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid Application Roles are created in the policy store, then the Application Role placeholder disappears from the Administration Tool interface. Always create a corresponding Application Role in the policy store before bringing the repository back online when using role placeholders in offline repository development.

For more information about how to create a placeholder for an Application Role during repository development, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

2.6.1 Overview

The Oracle BI Presentation Server uses Presentation Services Catalog privileges to control access to features such as Answers, Delivers, and BI Publisher. The default Oracle Business Intelligence Application Roles (BIAdministrator, BIAuthor, BIConsumer) are automatically configured with these privileges during installation, in addition to the Oracle Business Intelligence Application Policy permissions.

Systems upgraded from a previous release can continue to use Catalog groups to grant these privileges, but this is not considered a best practice. Best practice is to use Application Roles to manage privileges, which streamlines the security management process. For example, using the same set of Application Roles throughout the system eliminates the need to manage a separate set of Catalog groups and member lists. For more information regarding how to continue using upgraded Catalog groups to manage Presentation Services Catalog privileges, see Section A.2.1, "Changes Affecting Security in Presentation Services".

Note:

Assigning an Application Role to be a member of a Catalog group creates complex group inheritance and maintenance situations and is not considered a best practice.

When groups are assigned to Application Roles, the group members are automatically granted associated Presentation Services Catalog privileges. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of Application Roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

2.6.2 About Presentation Services Catalog Privileges

Presentation Services Catalog privileges are maintained in BI Presentation Catalog. Presentation Services privileges control access only to Presentation Services Catalog features. These privileges grant or deny access rights to Presentation Services features and have no effect in other Oracle Business Intelligence components.

Being a member of a group assigned to a default Application Role grants Presentation Services Catalog privileges, in addition to the Oracle Business Intelligence permissions discussed in Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings". The Presentation Services Catalog privileges granted by a default Application Role can be modified by adding or removing default privilege grants using the Manage Privileges page.

Whenever a new catalog is created, it is populated with the default Application Role to Presentation Services Catalog privilege mappings. If you have changed the default mappings and want to see the default associations, create a new catalog by pointing to a file location where no catalog exists. When the Oracle BI Presentation Server starts, a catalog is created as part of the initialization process.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or Application Role hierarchy.

If you create an Application Role, you must set appropriate privileges for the Application Role in the Oracle BI Presentation Catalog to enable that role to perform various functional tasks. For example, you might want users with an Application Role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named 'Create Invoke Action'.

Oracle BI Presentation Catalog privileges are stored in the BI Presentation Server and cannot be accessed from the administrative interfaces used to manage the policy store. If you have created a new Application Role to grant Oracle Business Intelligence permissions, then you must the set Presentation Services Catalog privileges to that new role in addition to any Oracle Business Intelligence permissions.

Click an Application Role next to the privilege that you want to edit to display the Manage Privileges page.

For example, to edit the privilege named 'Access to Scorecard' for the Application Role named BIConsumer, click the BIConsumer link next to Access\Access to Scorecard. The example screenshot below shows the Privilege dialog for the Access to Scorecard privilege.

Use the Privilege dialog to change permissions, grant privileges to Application Roles, and revoke privileges from an Application Role. For example, to grant the selected privilege to an Application Role, you must add the Application Role to the Permissions list.

To add an Application Role to the Permissions list, do the following:

Click Add Users/Roles.

Select Application Roles from the list and click Search.

Select the Application Role from the results list.

Use the shuttle controls to move the Application Role to the Selected Members list.

Click OK.

Set the permission for the Application Role by selecting Granted or Denied in the Permission list.

Note: Explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or Application Role hierarchy.

Save your changes.

Note:

Existing Catalog groups are migrated during the upgrade process. Moving an existing Presentation Services Catalog security configuration to the role-based Oracle Fusion Middleware security model based requires that each Catalog group be replaced with a corresponding Application Role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding Application Role that grants the same Presentation Services Catalog privileges. You can then delete the original Catalog group from Presentation Services.

2.6.4 Advanced Security Configuration Topics

This section contains advanced topics.

2.6.4.1 About Encryption in BI Presentation Services

The Oracle BI Server and Oracle BI Presentation Services client support industry-standard security for login and password encryption. When an end user enters a user name and password in the Web browser, the Oracle BI Server uses the Hyper Text Transport Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the Oracle BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit), preventing unauthorized users from accessing data or Oracle Business Intelligence metadata.

To enable high availability of the default embedded Oracle WebLogic Server LDAP Identity Store in a clustered environment, you configure the virtualize attribute. When you set the virtualize attribute value to true, Managed servers are able to use a copy of the embedded default Oracle WebLogic Server LDAP Identity Store.

To configure the virtualize attribute for high availability of the default embedded Oracle WebLogic Server LDAP Identity Store:

In Fusion Middleware Control, navigate to \Weblogic domain\bifoundation_domain in the navigation pane.